In a business, you have to be mitigating against every kind of threat to your business. While you are securing your systems against external threats by implementing various IT security protocols, all the while taking preventive measures to avoid an attack, you have to consider the possibility of a breach and what actions you should take, in case there is a breach. This is akin to disaster recovery, and a well-thought-out plan should be in place to minimize damages.
In this article let us look at:
A business is vulnerable to attacks both from inside and outside the organization, potentially bringing the business to a grinding halt. It can, not only impact ongoing business but can impact the trust that your customers have in you, it can negatively impact your brand value in the market and ultimately your business can start to shrink.
Do you have a plan to recover from a catastrophe like a major cybercrime incident, be it a cyber-attack or an attack perpetrated by an insider? Do you know have a clear plan on who and what machinery will be scrambled in case of such an attack? How confident are you in the abilities of the people who you think will be the first responders, to be able to manage the incident scene?
All these questions and more will be answered by a well-defined methodology called Incident Response in IT circles. Incident Response allows you to size an incident better, put barriers to stop or minimize the impact of the incident and recover from the incident to BAU as quickly as possible. A well-developed and robust Incident Response plan is your best bet against unpredictable incidents.
An incident is usually a high-pressure situation and in such trying times you need the right decisions to be taken, decisions that are calculated well-enough and the impact of such decisions is known in advance. If you don’t plan for an incident, you or your team is highly likely to make decisions in an ad-hoc manner, which may not guarantee you the best resolution to an incident. In such cases your incident response will be only as good as your IT staff, it will be people dependent and not process dependent.
You want your business to be more of a process-dependent one so that even if people have to move on, away from your business, you have the process to fall back on and run BAU. An Incident Response strategy will help your team make informed decisions, knowing well, the impact of each step taken to tackle the incident across the business.
A well thought out plan to counter incidents is effective only when executed well. To be able to execute the tasks outline in a plan and in quick time, you need a mix of the right talent and leadership. You need a team coming from various domains such as Malware Analysis, Incident management, Digital Forensics, System administrators and to provide clear direction to a stakeholder from the leadership team with experience in incident management.
The Incident Response team is made up of the first line of defence which is Security Operations Centres (SOC), a team that needs to operate 24/7 maintaining a tight vigil on the security situation looking for alerts from an automated system, gathering evidence and report unusual activity to the incident manager or the incidence management team. This team should ideally have access to tools like SIEM (Security Incident Event Manager) and EDR (Endpoint Detection & Response).
There are some low priority incidents that the SOC themselves can tackle and they should be highly aware of the severity of incidents. Higher severity incidents require the involvement of the Incident Management Team.
An Incident Manager depending on the severity of the incident will ensure key stakeholders are involved and a pointed discussion is carried out to hammer out a robust plan of action. Incident managers or the Incident Management Team decide what tasks should be executed and who is better equipped to execute them within the least possible time. All communications in response to an incident is managed by the incident manager or the Incident Management Team.
A bunch of experts highly skilled in niche domains like Malware Analysis, Data Forensics are involved in incidents that have a high severity. The incident manager involves this team based on the severity.
Another group of Threat Intelligence scouts also should make it to the Incident Response team. This team constantly assesses the incident landscape and help in recovering any data lost to the perpetrators of cybercrime.
Let’s put up a stepwise set of guidelines on how to prepare an Incident Response Plan.
The SOC or Security Operations Centre should be prepared well enough to be able to effectively triage incidents. A playbook or set of guidelines on deciding the priority of an incident and the severity of an incident that demands an escalation should be made available to the SOC. These playbooks should be tested well before they are commissioned for use.
To be able to respond to an incident in the most effective way, you should be able to size and scope the incident accurately. Starting with ground zero, you should expand rapidly to know what is the extent of the incident and whether there is a possibility of it crossing internal boundaries. Identification of key changes attributed to the incident can be used to detect other machines that are compromised. An Incident Response team should know what information to look for and the most likely places to look in, to get an idea of the incident footprint.
The containment process should start once the scope is established. Ways of isolating the impacted machines from the rest of the network should be familiar to the team so that the execution is faster in the response to an incident.
Techniques like patching devices, disinfecting machines, disabling compromised user or service accounts are activities that are carried out once the containment is successful. The team should familiar with such tasks and a regular refresher on such tasks will help the team to execute steps for eradication in a more effective manner.
The recovery phase of an incident is focused on returning the business to BAU status as quickly as possible. Knowing what are key functions need to be up as soon as possible will help in prioritizing the restoration of backups. Once recovery is done, monitoring devices for another related incident outbreak is also an important task.
A Post Incident Review should take place and the findings should be shared across the board. A review of how well the incident was managed and any shortcomings found should lead to changes in playbooks for improving response to incidents in the future.
Incident Response Plans should be reviewed on a regular basis to ensure teams are ready with the plan and each member has a task cut out to ensure the impact on business is minimal. Senior Management should ensure the Incident Response team receives adequate support from other stakeholders in the business to be able to design, test and execute their plan efficiently and effectively.
So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.